SSRT101667

GLSA-201502-12

http://www-01.ibm.com/support/docview.wss?uid=swg21672080

http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

66904

RHSA-2014:0413

The remote host is affected by the vulnerability described in GLSA-201502-12 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Oracle&rsquo;s Java SE       Development Kit and Runtime Environment. Please review the CVE       identifiers referenced below for details.
  Impact :

    A context-dependent attacker may be able to execute arbitrary code,       disclose, update, insert, or delete certain data.
  Workaround :

    There is no known workaround at this time.

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

[Updated 12th May 2014] The package list in this erratum has been updated to make the packages available in the Oracle Java for Red Hat Enterprise Linux 6 Workstation x86_64 channels on the Red Hat Network.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428)

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 55 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The remote host has a version of IBM Notes (formerly Lotus Notes) 9.0.x prior to 9.0.1 Fix Pack 2 (FP2) installed. It is, therefore, affected by the following vulnerabilities :

  - An unspecified error exists related to the TLS     implementation and the IBM HTTP server that could allow     certain error cases to cause 100% CPU utilization. Note     this issue only affects Microsoft Windows hosts.
    (CVE-2014-0963)

  - Fixes in the Oracle Java CPU for April 2014 are included     in the fixed IBM Java release, which is included in the     fixed IBM Domino release.
    (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429,     CVE-2014-0446, CVE-2014-0448, CVE-2014-0449,     CVE-2014-0451, CVE-2014-0452, CVE-2014-0453,     CVE-2014-0454, CVE-2014-0455, CVE-2014-0457,     CVE-2014-0458, CVE-2014-0459, CVE-2014-0460,     CVE-2014-0461, CVE-2014-1876, CVE-2014-2398,     CVE-2014-2401, CVE-2014-2402, CVE-2014-2409,     CVE-2014-2412, CVE-2014-2414, CVE-2014-2420,     CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,     CVE-2014-2428)

The version of IBM Domino (formerly Lotus Domino) installed on the remote host is 9.0.x prior to 9.0.1 Fix Pack 2 (FP2). It is, therefore, affected by the following vulnerabilities :

  - An unspecified error exists related to the TLS     implementation and the IBM HTTP server that could allow     certain error cases to cause 100% CPU utilization. Note     this issue only affects Microsoft Windows hosts.
    (CVE-2014-0963)

  - Fixes in the Oracle Java CPU for April 2014 are included     in the fixed IBM Java release, which is included in the     fixed IBM Domino release.
    (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429,     CVE-2014-0446, CVE-2014-0448, CVE-2014-0449,     CVE-2014-0451, CVE-2014-0452, CVE-2014-0453,     CVE-2014-0454, CVE-2014-0455, CVE-2014-0457,     CVE-2014-0458, CVE-2014-0459, CVE-2014-0460,     CVE-2014-0461, CVE-2014-1876, CVE-2014-2398,     CVE-2014-2401, CVE-2014-2402, CVE-2014-2409,     CVE-2014-2412, CVE-2014-2414, CVE-2014-2420,     CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,     CVE-2014-2428)

  - A man-in-the-middle (MitM) information disclosure     vulnerability, known as POODLE, exists due to the way     SSL 3.0 handles padding bytes when decrypting messages     encrypted using block ciphers in cipher block chaining     (CBC) mode. A MitM attacker can decrypt a selected byte     of a cipher text in as few as 256 tries if they are able     to force a victim application to repeatedly send the     same data over newly created SSL 3.0 connections.
    (CVE-2014-3566)

According to its version, the IBM Domino (formerly IBM Lotus Domino) application on the remote host is 9.x prior to 9.0.1 Fix Pack 2 (FP2).
It is, therefore, affected by the following vulnerabilities :

  - An unspecified error exists related to the TLS     implementation and the IBM HTTP server that could allow     certain error cases to cause 100% CPU utilization. Note     that this issue only affects Microsoft Windows hosts.
    (CVE-2014-0963)

  - Fixes in the Oracle Java CPU for April 2014 are included     in the fixed IBM Java release, which is included in the     fixed IBM Domino release.
    (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429,     CVE-2014-0446, CVE-2014-0448, CVE-2014-0449,     CVE-2014-0451, CVE-2014-0452, CVE-2014-0453,     CVE-2014-0454, CVE-2014-0455, CVE-2014-0457,     CVE-2014-0458, CVE-2014-0459, CVE-2014-0460,     CVE-2014-0461, CVE-2014-1876, CVE-2014-2398,     CVE-2014-2401, CVE-2014-2402, CVE-2014-2409,     CVE-2014-2412, CVE-2014-2414, CVE-2014-2420,     CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,     CVE-2014-2428)

Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary.

The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428)

All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR1 release. All running instances of IBM Java must be restarted for the update to take effect.

The version of Java SDK installed on the remote host is potentially affected by the following vulnerabilities :

  - There is an information disclosure flaw in libjpeg and     libjpeg-turbo allowing remote attackers access to     uninitialized memory via crafted JPEG images.
    (CVE-2013-6629)

  - A vulnerability in libpng allows denial of service     attacks via a flaw in pngtran.c pngset.c.
    (CVE-2013-6954)

  - Vulnerabilities in Oracle Java allow remote code     execution via flaws in 2D image handling.
    (CVE-2014-0429, CVE-2014-2401, CVE-2014-2421)

  - A vulnerability in Oracle Java allows remote code     execution via a flaw in logger handling.
    (CVE-2014-0446)

  - Vulnerabilities in Oracle Java allow remote code     execution via flaws in the Deployment subcomponent.
    (CVE-2014-0448, CVE-2014-0449, CVE-2014-2409,     CVE-2014-2420, CVE-2014-2428)

  - A vulnerability in Oracle Java allows a remote attacker     to bypass security features through flaws in AWT.
    (CVE-2014-0451, CVE-2014-2412)

  - A vulnerability in Oracle Java allows a remote attacker     to bypass security features through flaws in     W3CEndpointReference.java. (CVE-2014-0452)

  - An information disclosure vulnerability in Oracle Java     RSAPadding allows a remote attacker to view timing     information protected by encryption. (CVE-2014-0452)

  - A vulnerability in Oracle Java allows a remote attacker     to modify the SIGNATURE_PRIMITIVE_SET through flaws in     SignatureAndHalshAlgorithm and AlgorithmChecker.
    (CVE-2014-0454)

  - A vulnerability in Oracle Java allows remote code     execution via a flaw in MethodHandles.java.
    (CVE-2014-0455)

  - A vulnerability in Oracle Java allows remote code     execution via a flaw in exception handling.
    (CVE-2014-0457)

  - Vulnerabilities in Oracle Java allow a remote attacker     to bypass security features through flaws in JAX-WS.
    (CVE-2014-0458, CVE-2014-2423)

  - An unspecified vulnerability exists in Oracle Java     via sandboxed applications.
    (CVE-2014-0459)

  - A vulnerability in Oracle Java allows remote attackers     to conduct spoofing attacks via a flaw in the DnsClient     component. (CVE-2014-0460)

  - A vulnerability in Oracle Java allows remote code     execution via a flaw in ScriptEngineManager.java.
    (CVE-2014-0461)

  - A vulnerability in Oracle Java allows a remote attacker     to bypass security features through flaws in the random     number generation of cryptographic protection.
    (CVE-2014-0878)

  - A privilege escalation vulnerability in Oracle Java     allows remote attacks to overwrite arbitrary files     via a flaw in unpack200. (CVE-2014-1876)

  - A vulnerability in Oracle Java allows remote code     execution via a flaw in Javadoc. (CVE-2014-2398)

  - A vulnerability in Oracle Java allows a remote attacker     to bypass security features through flaws in     asynchronous channel handling across threads.
    (CVE-2014-2402)

  - Vulnerabilities in Oracle Java allow a remote attacker     to bypass security features through flaws in JAXB.
    (CVE-2014-2414)

  - A vulnerability in Oracle Java allows a remote attacker     to bypass security features through flaws in Java sound     libraries. (CVE-2014-2427)

IBM Java 7 was updated to version SR7, which received security and bug fixes.

More information is available at:
http://www.ibm.com/developerworks/java/jdk/aix/j764/Java7_64.fixes.htm l#SR7

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-0457, CVE-2014-2421, CVE-2014-0429, CVE-2014-0461, CVE-2014-0455, CVE-2014-2428, CVE-2014-0448, CVE-2014-0454, CVE-2014-0446, CVE-2014-0452, CVE-2014-0451, CVE-2014-2402, CVE-2014-2423, CVE-2014-2427, CVE-2014-0458, CVE-2014-2414, CVE-2014-2412, CVE-2014-2409, CVE-2014-0460, CVE-2013-6954, CVE-2013-6629, CVE-2014-2401, CVE-2014-0449, CVE-2014-0459, CVE-2014-0453, CVE-2014-2398, CVE-2014-1876, CVE-2014-2420)

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR7 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428)

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 55 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 8 Update 5, 7 Update 55, 6 Update 75, or 5 Update 65.  It is, therefore, potentially affected by security issues in the following components :

  - 2D
  - AWT
  - Deployment
  - Hotspot
  - JAX-WS
  - JAXB
  - JAXP
  - JNDI
  - JavaFX
  - Javadoc
  - Libraries
  - Scripting
  - Security
  - Sound

ID	Name	Product	Family	Severity
81370	GLSA-201502-12 : Oracle JRE/JDK: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
79010	RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2014:0413)	Nessus	Red Hat Local Security Checks	critical
77812	IBM Notes 9.0.x < 9.0.1 Fix Pack 2 Multiple Vulnerabilities	Nessus	Windows	critical
77811	IBM Domino 9.0.x < 9.0.1 Fix Pack 2 Multiple Vulnerabilities (credentialed check) (POODLE)	Nessus	Windows	critical
77810	IBM Domino 9.x < 9.0.1 Fix Pack 2 Multiple Vulnerabilities (uncredentialed check)	Nessus	Misc.	critical
76900	RHEL 7 : java-1.7.1-ibm (RHSA-2014:0705)	Nessus	Red Hat Local Security Checks	critical
76870	AIX Java Advisory : java_apr2014_advisory.asc	Nessus	AIX Local Security Checks	critical
74254	SuSE 11.3 Security Update : IBM Java 7 (SAT Patch Number 9263)	Nessus	SuSE Local Security Checks	critical
74005	RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2014:0486)	Nessus	Red Hat Local Security Checks	critical
73608	RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2014:0412)	Nessus	Red Hat Local Security Checks	critical
73571	Oracle Java SE Multiple Vulnerabilities (April 2014 CPU) (Unix)	Nessus	Misc.	critical
73570	Oracle Java SE Multiple Vulnerabilities (April 2014 CPU)	Nessus	Windows	critical

CVE-2014-0448

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins